Abstract
We propose two novel e-coupon systems that achieve the following new properties: (1) The coupon issuer (or service provider) can trace the identity of a dishonest user, while the identity privacy (or anonymity) of an honest user remains well protected. (2) An honest user's redemption privacy (i.e., the items chosen when redeeming an e-coupon) is well protected from the service provider. (3) If a dishonest user redeems an e-coupon more than the predetermined number of times, the user loses redemption privacy (i.e., all the choices the user made in previous redemptions can be revealed). We first propose a novel blind signature scheme, which we employ together with oblivious transfer to construct our first e-coupon system; it achieves the first two properties without the involvement of any trusted third party. We then propose a novel oblivious transfer scheme and use it to construct the second e-coupon system, which achieves all the properties given above. We also define formal security models for these new security requirements, and show that our new e-coupon systems are provably secure in the proposed models.
References
1. Aiello, W., Ishai, Y., & Reingold, O. (2001). Priced oblivious transfer: How to sell digital goods. In Advances in cryptology—EUROCRYPT 2001, international conference on the theory and application of cryptographic techniques (pp. 119–135), Innsbruck.
2. Bellare, M., & Goldreich, O. (1992). On defining proofs of knowledge. In Advances in Cryptology—CRYPTO ’92, 12th Annual international cryptology conference (pp. 390–420), Santa Barbara, CA.
3. Bellare, M., & Rogaway, P. (1993). Random oracles are practical: A paradigm for designing efficient protocols. In CCS’93, proceedings of the 2009 ACM conference on computer and communications security (pp. 62–73), Fairfax, VA.
4. Bellare, M., Namprempre, C., Pointcheval, D., et al. (2003). The one-more-RSA-inversion problems and the security of Chaum’s blind signature scheme. Journal of Cryptology, 16(3), 185–215.
5. Bellare, M., & Palacio, A. (2004). The knowledge-of-exponent assumptions and 3-round zero-knowledge protocols. In Advances in cryptology—CRYPTO, 24th annual international cryptology conference (pp. 273–289), Santa Barbara, CA.
6. Brands, S. (1993). Untraceable off-line cash in wallets with observers (extended abstract). In Advances in cryptology—CRYPTO ’93, 13th annual international cryptology conference (pp. 302–318), Santa Barbara, CA.
7. Brassard, G., Crépeau, C., & Robert, JM. (1986). All-or-nothing disclosure of secrets. In Advances in cryptology—CRYPTO ’86 (pp. 234–238), Santa Barbara, CA.
8. Camenisch, J., Dubovitskaya, M., & Neven, G. (2009). Oblivious transfer with access control. In Proceedings of the 2009 ACM conference on computer and communications security (pp. 131–140), Chicago, IL.
9. Camenisch, J., Dubovitskaya, M., & Neven, G. (2010). Unlinkable priced oblivious transfer with rechargeable wallets. In 14th International conference on financial cryptography and data security, FC 2010 (pp. 66–81), Tenerife.
10. Camenisch, J., Neven, G., & Shelat, A. (2007). Simulatable adaptive oblivious transfer. In Advances in cryptology—EUROCRYPT 2007, 26th annual international conference on the theory and applications of cryptographic techniques (pp. 573–590), Barcelona.
11. Canard, S., Gouget, A., & Hufschmitt, E. (2006). A handy multi-coupon system. In ACNS (pp. 66–81).
12. Chaum, D. (1982). Blind signatures for untraceable payments. CRYPTO (pp. 199–203).
13. Chaum, D., Fiat, A., & Naor, M. (1988). Untraceable electronic cash. In Advances in cryptology—CRYPTO ’88, 8th annual international cryptology conference (pp. 319–327), Santa Barbara, CA.
14. Chen, L., Enzmann, M., Sadeghi, AR., et al. (2005). A privacy-protecting coupon system. In Financial cryptography (pp. 93–108).
15. Chu, C. K., & Tzeng, W. G. (2005). Efficient k-out-of-n oblivious transfer schemes with adaptive and non-adaptive queries. In Public key cryptography (pp. 172–183).
16. Coull, SE., Green, M., & Hohenberger, S. (2009). Controlling access to an oblivious database using stateful anonymous credentials. In Public key cryptography—PKC 2009, 12th international conference on practice and theory in public key cryptography (pp. 501–520), Irvine, CA.
17. Even, S., Goldreich, O., & Lempel, A. (1985). A randomized protocol for signing contracts. Communications of the ACM, 28(6), 637–647.
18. Guo, P., Wang, J., Li, B., & Lee, S. (2014). A variable threshold-value authentication architecture for wireless mesh networks. Journal of Internet Technology, 15(6), 929–936.
19. Han, J. G., Susilo, W., Mu, Y., et al. (2012). Efficient oblivious transfers with access control. Computers & Mathematics with Applications, 63(4), 827–837.
20. Juels, A., Luby, M., & Ostrovsky, R. (1997). Security of blind digital signatures (extended abstract). In CRYPTO (pp. 150–164).
21. Kilian, J. (1988). Founding cryptography on oblivious transfer. In Proceedings of the 20th annual ACM symposium on theory of computing (pp. 20–31).
22. Liao, L., & Shu, C. (2015). Reversible data hiding in encrypted images based on absolute mean difference of multiple neighboring pixels. Journal of Visual Communication and Image Representation, 28(4), 21–27.
23. Liu, W., Mu, Y., & Yang, G. M. (2014). An efficient privacy-preserving e-coupon system. In Information security and cryptology—10th international conference (pp. 1–13), Beijing.
24. Ma, X., Xu, L., & Zhang, F. G. (2011). Oblivious transfer with timed-release receiver’s privacy. Journal of Systems and Software, 84(3), 460–464.
25. Mu, Y., Nguyen, K. Q., & Varadharajan, V. (2001). A fair electronic cash scheme. In ISEC 2001, topics in electronic commerce, second international symposium (pp. 20–32), Hong Kong.
26. Mu, Y., Zhang, J. Q., & Varadharajan, V. (2002). m out of n oblivious transfer. In ACISP 2002, 7th Australian conference on information security and privacy (pp. 395–405), Melbourne.
27. Naor, M., & Pinkas, B. (2005). Computationally secure oblivious transfer. Journal of Cryptology, 18(1), 1–35.
28. Naor, M., & Pinkas, B. (1999). Oblivious transfer with adaptive queries. In Advances in cryptology—CRYPTO ’99, 19th annual international cryptology conference (pp. 573–590).
29. Nguyen, L., & Safavi-Naini, R. (2005). k-times anonymous authentication. In Applied cryptography and network security—ACNS 2005, third international conference (pp. 318–333).
30. Nguyen, L. (2006). Privacy-protecting coupon system revisited. In Financial cryptography (pp. 266–280).
31. Teranishi, I., Furukawa, J., & Sako, K. (2004). k-times anonymous authentication (extended abstract). In Advances in cryptology—ASIACRYPT 2004, 10th international conference on the theory and application of cryptology and information security (pp. 308–322).
32. Pointcheval, D., & Stern, J. (1996). Security proofs for signature schemes. In Advances in cryptology—EUROCRYPT ’96, international conference on the theory and application of cryptographic techniques (pp. 387–398), Saragossa.
33. Rabin, M. O. (1981). How to exchange secrets by oblivious transfer. Technical Report, TR-81, Computer Science Laboratory, Harvard.
34. Schnorr, C. P. (1989). Efficient identification and signatures for smart cards. In Advances in cryptology—CRYPTO ’89, 9th annual international cryptology conference (pp. 239–252).
35. Stadler, M., Piveteau, J. M., & Camenisch, J. (1995). Fair blind signatures. In EUROCRYPT (pp. 209–219).
36. Yao, A. C. C. (1986). How to generate and exchange secrets (extended abstract). In 27th annual symposium on foundations of computer science (pp. 162–167), Toronto.
Appendix
In this section we analyze the security of the proposed oblivious transfer scheme under the half-simulation model [27].
Theorem 10
The proposed OTRRP scheme provides receiver’s privacy for honest receivers.
Proof
Suppose an honest receiver runs the OT protocol with the sender k times. The sender obtains k transcripts \(\{(A_1,B_1,f(B_1)),(A_2,B_2, f(B_2)),\ldots ,(A_k,B_k,f(B_k))\}\) such that \(A_1=g^{r_1x}h^{\alpha _1},A_2=g^{r_2x}h^{\alpha _2},\ldots ,A_k=g^{r_kx}h^{\alpha _k}\), where \(\alpha _1,\alpha _2,\ldots ,\alpha _k\in \{1,2,\ldots ,n\}\) are the user’s choices and \(r_1,r_2, \ldots ,r_k\in _R\mathbb {Z}_q^*\). Given \(B_j=g^{r_j},rpk=g^x\) for some random \(r_j\in \mathbb {Z}_q^*\), it is computationally infeasible to decide whether the masked value equals \(g^{r_jx}\) or a random value Z in \(G_q\). Thus any two transcripts \(A_j\) and \(A_i\) from the user, with \(1\le i \ne j \le k\), are computationally indistinguishable to the service provider as long as the DDH problem is hard in \(G_q\). \(\square \)
Claim
The proposed encryption scheme is semantically secure.
Proof
As can be seen in the proposed OT scheme, the ciphertext is \(c_i=((rpk)^{k_i},m_i(A_i/h^i)^{k_i})\) where \(k_i\in _R\mathbb {Z}_q\), for \(1\le i\le n\). The encryption scheme used in our OT scheme is a variant of ElGamal encryption. Therefore the encryption scheme is semantically secure. \(\square \)
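An added example, not code from the paper: a toy-group run of the transcript formula \(A=g^{rx}h^{\alpha }\), \(B=g^r\) and the ciphertext formula above, showing that the receiver opens only the chosen item and that anyone who learns x can recover the choice from \((A,B)\). It assumes the receiver holds x and r and decrypts as \(c_{i,2}/c_{i,1}^{r}\) (inferred from the formulas, since the protocol body is not on this page), and uses constructed parameters p = 2039, q = 1019, g = 4, h = 9; the proof of knowledge and \(f(B)\) are omitted.

```python
import secrets

# Constructed toy group: p = 2q + 1, G_q = squares mod p (order q). Not a secure size.
P, Q = 2039, 1019
G, H = 4, 9  # two order-q elements; a real setup needs log_g(h) to be unknown

def rand_exp():
    return secrets.randbelow(Q - 1) + 1  # uniform in Z_q^*

def keygen():
    x = rand_exp()
    return x, pow(G, x, P)  # (x, rpk = g^x); assumed to be the receiver's key pair

def request(x, alpha):
    """Receiver side: A = g^{r x} h^alpha, B = g^r."""
    r = rand_exp()
    A = pow(G, r * x % Q, P) * pow(H, alpha, P) % P
    return r, A, pow(G, r, P)

def respond(rpk, A, messages):
    """Sender side: c_i = (rpk^{k_i}, m_i (A / h^i)^{k_i}) for i = 1..n."""
    cts = []
    for i, m in enumerate(messages, start=1):
        k = rand_exp()  # kept nonzero so no ciphertext degenerates to (1, m_i)
        mask = pow(A * pow(H, -i, P) % P, k, P)
        cts.append((pow(rpk, k, P), m * mask % P))
    return cts

def open_item(r, ct):
    """For i = alpha, A / h^i = g^{r x}, so c_2 / c_1^r = m_alpha (inferred step)."""
    c1, c2 = ct
    return c2 * pow(c1, -r, P) % P

def reveal_choice(x, A, B, n):
    """Once x is known, alpha is the only i in 1..n with A / h^i == B^x."""
    bx = pow(B, x, P)
    return [i for i in range(1, n + 1) if A * pow(H, -i, P) % P == bx]

if __name__ == "__main__":
    items = [16, 25, 36, 49]  # constructed messages; all squares, so they lie in G_q
    x, rpk = keygen()
    r, A, B = request(x, alpha=3)
    cts = respond(rpk, A, items)
    print(open_item(r, cts[2]), reveal_choice(x, A, B, len(items)))
```

For \(i\ne \alpha \) the same opening step yields \(m_i h^{(\alpha -i)k_i}\), which differs from \(m_i\) because h has prime order q and \(n<q\).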
Theorem 11
The proposed OTRRP scheme provides sender’s privacy.
Proof
Suppose an honest receiver runs the OT protocol with the sender k times. For any probabilistic polynomial-time malicious receiver \(\hat{U}\) in the real-world model, we are able to construct a probabilistic polynomial-time malicious receiver \(\hat{U}^*\) in the ideal model such that the outputs of \(\hat{U}\) and \(\hat{U}^*\) are indistinguishable. \(\square \)
Briefly, the ideal-world cheating receiver \(\hat{U}^*\) can extract \(\alpha \) from the proof of knowledge. This enables him to obtain the message \(m_\alpha \) from the TTP. \(\hat{U}^*\) simulates the honest sender S in the real world and interacts with \(\hat{U}\) as follows:

1. S sends \(m_1,m_2,\ldots ,m_n\) to the trusted third party TTP.

2. \(\hat{U}^*\) sends \(c_1^*,c_2^*,\ldots ,c_n^*\) to TTP such that \(c_i^*\in _R G_q\) for \(i=1,2,\ldots ,n\).

3. \(\hat{U}^*\) monitors the outputs \(A_{\alpha _1},A_{\alpha _2},\ldots ,A_{\alpha _k}\) of \(\hat{U}\); \(\hat{U}^*\) chooses \(A_{\alpha _1}^*,A_{\alpha _2}^*,\ldots ,A_{\alpha _k}^*\in _R G_q\).

4. After \(\hat{U}\) runs the \(Request\) protocol, if the verification of the PoK fails, \(\hat{U}^*\) sends a value \(\alpha _i\notin \{1,2,\ldots ,n\}\) to TTP.

5. If the verification of the PoK succeeds, \(\hat{U}^*\) extracts \(\hat{U}\)’s choice \(\alpha _i\) from the PoK and gets back \(c_{\sigma _1}^*,c_{\sigma _2}^*,\ldots ,c_{\sigma _k}^*\) such that \(c_{\sigma _i}^*\in _R G_q\) for \(i=1,2,\ldots ,k\).

6. If \(\hat{U}\) can compute \(g^{xr_{\alpha _i}}\), \(\hat{R}^*\) sends \(\alpha _i\) to TTP, and TTP returns \(\frac{c_{\alpha _i,2}^*}{m_{\alpha _i}}\).

7. \(\hat{U}^*\) outputs \((A_{\alpha _1}^*,A_{\alpha _2}^*,\ldots ,A_{\alpha _k}^*;c_1^*,c_2^*,\ldots ,c_n^*)\).

We can see from Theorem 10 and the Claim that \(\{A_{\alpha _1},A_{\alpha _2},\ldots ,A_{\alpha _k}\}\) and \(\{c_1,c_2,\ldots ,c_n\}\) are indistinguishable from random elements in \(G_q\). Therefore, no distinguisher can distinguish the outputs of \(\hat{U}\) and \(\hat{U}^\prime \) with non-negligible probability.
Cite this article
Liu, W., Mu, Y., Yang, G. et al. Efficient E-coupon systems with strong user privacy. Telecommun Syst 64, 695–708 (2017). https://doi.org/10.1007/s1123501602013
Keywords
 Privacy of purchase
 Traceability
 Unforgeability
 Anonymity
 Detection of misusing